Life Safety Meets Cyber Threats: The Urgent Need for Layered Protection
By: Dr. Rodger Reiswig, SET, PMSFPE
Threats from cyber-attacks are not new in our world. However, as life safety systems become more connected every day, it has become incumbent on manufacturers, designers, and end users to become aware of potential attacks from bad actors.
In cases where bad actors have infiltrated a building system, often times we find the attack was not to gain access to the particular system to do harm, but rather to use the system as a vehicle to gain access to the end user’s network to obtain access to protected data such as point of sale terminals, customers’ personal information, or simply to hold the system hostage and extort finances from the end user.
NFPA 72 “The National Fire Alarm and Signaling Code” has created language in the 2025 edition to provide guidance to designers, installers, and end users on cybersecurity. There is a new chapter 11 entitled simply “Cybersecurity”. The chapter was actually introduced in the 2022 edition of NFPA 72, but there was basically only one paragraph with significant annex material. For the 2025 edition, NFPA 72 brought much of the annex material into the body of the code and enhanced it as well.
When we think of cybersecurity threats and how to stop or deter potential attacks, the first place that needs to be looked at is the manufacturer’s product. Attacks don’t just come from vulnerabilities in a product’s software but can be embedded from component providers to manufacturers. For example, if a microprocessor is provided by a manufacturer to a life safety manufacturer, they need to make sure that there are not any software vulnerabilities, malware (malicious software), or other forms of potential risk to the overall life safety system.
Once a system is created, the executive software, gateways, and other systems should be reviewed for exposure that might present an opening for a potential attack. To guide manufacturers with this, NFPA 72 has created categories for life safety systems that are network connectable. As a point of clarification, if systems are not network-connectible, then it stands to reason that a threat from an outside attack could not occur, and cybersecurity prevention would not be warranted. Therefore, if a person cannot access the system in the first place because it is not network-connected, then there is no chance of infiltration into that system. Not connecting a system to the customer’s network is the best prevention of cyberattacks. However, many systems today offer options to connect to the “outside world” or network allowing remote diagnostics for the service provider or even the end user. Some systems offer options for remote inspections where a qualified inspector on-site could use a remote person to assist and document the inspection. Some systems provide routine reports on how the system is functioning as well as many other services.
Our world is more connected today than it ever has been and will be even more connected in the future. With that, NFPA 72 has created security levels, SL1, SL2, and SL3. Each level defines or provides guidance on risk levels based on how a system is installed and connected. Within each security level there are examples of some of the major ways to help protect the equipment from the manufacturing level.
- ANSI/ISA/IEC 62443-4-2, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS Components
- ANSI/ISA/IEC 62443-3-3, Security for Industrial Automation and Control Systems, Part 3-3: System Security Requirements and Security Levels
- CAN/UL 2900-2-3, Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems
Although the above are the major ways to provide or help evaluate equipment’s’ ability to withstand an attack, there are other ways that may be acceptable to the designer and the Authority Having Jurisdiction (AHJ).
Mitigating attacks caused by bad actors does not stop with the manufacturer. The designer and the end user both play key roles. A designer plays a large part in the overall cybersecurity prevention of a life safety system. NFPA 72 for chapter 11 has a charging paragraph at the very beginning to underline this. In section 11.1.1, NFPA 72 states “Where required by governing laws, codes, or standards, or other parts of this Code, cybersecurity shall be provided in accordance with Chapter 11 for equipment software, system support tools, installation methods, physical security of and access to equipment, data pathways, testing, and maintenance.” The onus is not just with the manufacturer, each step of the installation, ongoing maintenance, and system owner responsibilities also play key parts. If any of the above steps are ignored or not in place, a gap could exist that allows unwanted access by a bad actor.
Within NFPA 72, the system owner receives guidance as well as what responsibilities, at a minimum, they need to adhere to. One item that the owner is responsible for in the overall scheme of cybersecurity attack prevention deals with unused physical data ports on an IT system where a life safety system connects. The IT system’s owner is responsible for where a life safety system connects and for its protection from unauthorized access. It is necessary for a process to be in place for the IT system to administratively disable unused ports. Lastly, NFPA 72 requires that the IT system that connects to the life safety system be configured to require a token-based authentication, certificate-based authentication, password, or other methods that are consistent with the security requirements of the system.
Another aspect of the overall cybersecurity prevention system requires that data connections to external networks are isolated. Section 11.7 of NFPA 72 states “When any data connection is made from the system to an external network, the connection shall be protected by a gateway or firewall that ensures that only trusted traffic is allowed to pass”.
Life safety system manufacturers, designers, installers, and end users all play a vital role in cybersecurity prevention.
